Analysis Module
An analysis module is what takes an observable and generates analysis as output.
Analysis modules are what make up the core of ACE. They contain the custom analysis logic that does most of the work.
The modules that are part of the base installation are documented here.
Configuration
An analysis module is defined in the configuration settings by sections with the format [analysis_module_NAME], where NAME is a unique name for the module in the configuration. This NAME is often used to reference the analysis module in the available command line tooling.
The configuration settings support a number of base options as defined below.
[analysis_module_NAME]
module =
class =
instance =
enabled =
module_groups = ; deprecated
exclude_UNIQUE_NAME =
expect_UNIQUE_NAME =
; optional parameters
priority =
threaded =
threaded_execution_frequency =
The module and class values define the module-class specification, which tells ACE what Python class to load for the module.
The optional instance value defines an instanced analysis module (see below).
The enabled boolean value enables or disables the module. A module that is disabled here is disabled for the entire engine; there are other ways to enable and disable analysis modules.
Instanced Analysis Modules
An analysis module can be instanced if it defines an instance property in its configuration section.
An instance makes an analysis module more unique. This is useful when the analysis module is made up entirely of configuration data (see below).
Analysis generated by an instanced analysis module carries a matching instance property.
Analysis Modules Defined By Configuration
You can define new analysis modules entirely by configuration by using instanced analysis modules. While all modules support being instanced, it only makes sense for ones whose behavior differs depending on the configuration.
For example, an analysis module that can query a data lake could contain a configuration option that specifies the query to execute and uses variable interpolation to apply parameters to the query. By designing the module this way, new "analysis modules" with different queries can be created simply by creating new [analysis_module_] configuration sections that specify the same module-class specification but a different instance value.
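The following is an added example, not ACE's own code: it parses [analysis_module_NAME] sections of the shape described above with Python's configparser, separating the base options from module-specific ones, and shows two sections that share one module-class specification but differ in instance. The module path, class name and the query option in the sample config are constructed for illustration.

```python
import configparser
from dataclasses import dataclass, field
from typing import Optional

PREFIX = "analysis_module_"
BASE_OPTIONS = {"module", "class", "instance", "enabled", "module_groups",
                "priority", "threaded", "threaded_execution_frequency"}

# Constructed sample: two instanced modules that share one module-class specification.
# The module path, class name and the 'query' option are assumptions, not ACE settings.
SAMPLE_CONFIG = """[analysis_module_datalake_ip]
module = example.modules.datalake
class = DataLakeQueryAnalyzer
instance = ip
enabled = yes
query = SELECT * FROM events WHERE src_ip = '{value}'
[analysis_module_datalake_domain]
module = example.modules.datalake
class = DataLakeQueryAnalyzer
instance = domain
enabled = no
query = SELECT * FROM dns WHERE qname = '{value}'
"""

@dataclass
class ModuleDefinition:
    name: str                   # NAME from the [analysis_module_NAME] header
    module: str
    cls: str
    instance: Optional[str]
    enabled: bool
    options: dict = field(default_factory=dict)  # module-specific settings such as 'query'

def load_module_definitions(text):
    """Parse every [analysis_module_*] section; a section without module/class is an error."""
    # interpolation=None keeps '{value}' literal; substituting the observable is the module's
    # job and should use bound parameters rather than string formatting into SQL.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    defs = []
    for section in (s for s in cp.sections() if s.startswith(PREFIX)):
        if not (cp.has_option(section, "module") and cp.has_option(section, "class")):
            raise ValueError(f"{section}: 'module' and 'class' are required")
        is_base = lambda k: k in BASE_OPTIONS or k.startswith(("exclude_", "expect_"))
        defs.append(ModuleDefinition(
            name=section[len(PREFIX):], module=cp.get(section, "module"),
            cls=cp.get(section, "class"), instance=cp.get(section, "instance", fallback=None),
            enabled=cp.getboolean(section, "enabled", fallback=False),
            options={k: v for k, v in cp.items(section) if not is_base(k)}))
    return defs
```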